"Clickjacking" poses major web browser threat

“Clickjacking” has the potential to affect users of nearly all internet browsers.

Clickjacking occurs when an attacker places an invisible button under an internet user's mouse pointer just above the viewable content of the web page, Jeremiah Grossman, founder and CTO of WhiteHat Security, said in an email to SCMagazineUS.com Monday.

The attacker then waits for the user to mistakenly click the button, which can be placed anywhere on any website, Grossman said.

Once the user has clicked the infected button, they unknowingly can be forced into actions not otherwise intended, he said.

Grossman and Robert "RSnake" Hansen, founder and CEO of SecTheory, shared their findings on the topic last week at the Open Web Application Security Project (OWASP) conference in New York. One of the findings they did not include, however, was a proof-of-concept example using an Adobe product. Grossman could not divulge details, only saying it was found to be “critical.”

Adobe asked for more time to remediate the problem before public disclosure.

In an advisory, US-CERT said: "Clickjacking gives an attacker the ability to trick a user into clicking on something only barely or momentarily noticeable. Therefore, if a user clicks on a web page, they may actually be clicking on content from another page."

No fix is available.
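The invisible-overlay technique described above depends on the target page being loadable inside a frame on an attacker-controlled site. As an added example that is not from the article (and uses the X-Frame-Options and Content-Security-Policy frame-ancestors response headers that became the standard mitigation after this 2008 report), the following script classifies a page's framing policy from its response headers so a defender can spot pages that remain frameable. The header objects are constructed sample inputs.

```javascript
// Classify whether an HTTP response allows cross-origin framing, the
// precondition for the invisible-overlay clickjacking described above.
// Input: object mapping lower-cased header names to values (constructed).

function parseCspFrameAncestors(csp) {
  // CSP directives are ';'-separated; tokens inside a directive are
  // whitespace-separated. Returns the source list, or null if absent.
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0] && tokens[0].toLowerCase() === 'frame-ancestors') {
      return tokens.slice(1).map(t => t.replace(/^'|'$/g, '').toLowerCase());
    }
  }
  return null;
}

function framingPolicy(headers) {
  const csp = headers['content-security-policy'];
  if (csp) {
    const sources = parseCspFrameAncestors(csp);
    if (sources) {
      // frame-ancestors takes precedence over X-Frame-Options in CSP-aware
      // browsers; an empty source list is equivalent to 'none'.
      if (sources.length === 0 || sources.includes('none')) return 'deny';
      if (sources.every(s => s === 'self')) return 'same-origin';
      if (sources.includes('*')) return 'any-origin';
      return 'allow-list';
    }
  }
  const xfo = (headers['x-frame-options'] || '').trim().toUpperCase();
  if (xfo === 'DENY') return 'deny';
  if (xfo === 'SAMEORIGIN') return 'same-origin';
  // No recognised directive (ALLOW-FROM is obsolete and ignored by current
  // browsers): the page can be framed by any origin.
  return 'any-origin';
}

function isClickjackable(headers) {
  return framingPolicy(headers) === 'any-origin';
}

// Constructed sample responses for a stand-alone run.
const samples = {
  unprotected: { 'content-type': 'text/html' },
  xfo: { 'x-frame-options': 'SAMEORIGIN' },
  csp: { 'content-security-policy': "default-src 'self'; frame-ancestors 'none'" },
};
for (const [name, h] of Object.entries(samples)) {
  console.log(name, framingPolicy(h), 'frameable by any origin:', isClickjackable(h));
}
```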

"All of the browsers that people use on a day-to-day basis are vulnerable," Hansen told SCMagazineUS.com Monday.

Grossman gave an example of clickjacking: “Let's say a user is visiting a social network profile or any web page where an attacker's code is resident. When the user attempts to click on something, they mistakenly are clicking on a bank wire transfer, DSL router, advertising banner, or Digg, etc., button. While these are mostly harmless examples, the potential risk only goes up from there,” he said.

Grossman and Hansen said they have been researching clickjacking in depth since the middle of the year.

“Clickjacking is a well-known issue, but severely underappreciated and largely undefended, and we hope to begin changing that perception,” Grossman wrote in his blog.

In an entry on the Adobe Product Security Incident Response Team (PSIRT) blog dated Sept. 15, David Lenoe, of the Secure Software Engineering team at Adobe, thanked Grossman and Hansen for bringing the issue to Adobe's attention.

“While they saw this issue as primarily a web browser issue, they showed us that one of their demos included an Adobe product," he wrote. "We worked together with Robert and Jeremiah to assess the impact of this issue, and they determined that it was in our customers' best interest to refrain from making this issue public until Adobe and web browser vendors have a chance to provide a fix or fixes to our mutual customers."

Of the spread of this type of attack, Grossman said, “It is unknown if the underground has added clickjacking to their arsenal,” and added that it would be difficult to tell if they have.

"It might not be the most attractive option at an attacker's disposal," Hansen said. "There are other, easier exploits out there."
